b'                            CTOR\n                      SPE          GE\n                 IN                     N\n             F                              E\n         O                                      R\n     E\n\n\n\n\n                                                A\n C\n\n\n\n\n                                                    L\nFI\nOF\n\n\n\n\n                                                        OFFICE OF INSPECTOR GENERAL\n                                                             EXPORT-IMPORT BANK\n                                                              of the UNITED STATES\n\n\n\n\n                       Fiscal Year 2012\n                     Financial Statement\n                  Audit - Management Letter\n\n\n\n                                                                       January 23, 2013\n                                                                         OIG-AR-13-02\n\x0cTo:        David Sena\n           Senior Vice President and Chief Financial Officer\n           Joseph Sorbera\n           Vice President - Controller\n           Nathalie Herman\n           Vice President - Treasurer\n           Fernanda Young\n           Chief Information Officer\n\nFrom:      Rebecca L. Sharek\n           Assistant Inspector General for Audits\n\nSubject:   Fiscal Year 2012 Financial Statement Audit - Final Management Letter\n           OIG-AR-13-02\n\nDate:      January 23, 2013\n\n\nThis memorandum transmits Deloitte and Touche LLP\xe2\x80\x99s Management Letter of the\nExport-Import Bank of the United States (Ex-Im Bank) financial statements for fiscal\nyear ended 2012. Under a contract monitored by this office, we engaged the\nindependent public accounting firm of Deloitte and Touche to perform the audit.\nThe contract required the audit to be done in accordance with: United States\ngenerally accepted government auditing standards; Office of Management and\nBudget audit guidance; and the Government Accountability Office/President\xe2\x80\x99s\nCouncil on Integrity and Efficiency Financial Audit Manual.\n\nDeloitte and Touche identified deficiencies related to the Ex-Im Bank\xe2\x80\x99s internal\ncontrol over financial reporting and other matters that needed your attention. The\nobservations, recommendations, and your responses regarding such matters are\npresented in the Attachment.\n\nDeloitte and Touche is responsible for the attached management letter dated\nJanuary 16, 2013 and the conclusions expressed in the letter. We do not express\nopinions on Ex-Im Bank\xe2\x80\x99s financial statements or internal control or conclusions on\ncompliance with laws and regulations.\n\nWe appreciate the cooperation and courtesies provided to Deloitte and Touche and\nthis office during the audit. If you have questions, please contact me at (202) 565-\n3169 or rebecca.sharek@exim.gov.\n\n\n                  811 Vermont Avenue, NW Washington, D.C. 20571\n\x0c                                                                             2\n\n\nAttachment\n\n\ncc:   Fred Hochberg, Chairman and President\n      Alice Albright, Executive Vice President and Chief Operating Officer\n      Audit Committee\n      Michael Cushing, Senior Vice President \xe2\x80\x93 Resource Management\n\n\n\n\n                 811 Vermont Avenue, NW Washington, D.C. 20571\n\x0cJanuary 16, 2013\n\n\nManagement of the Export-Import Bank of the United States\n811 Vermont Avenue NW\nWashington, D.C. 20571\n\nDear Members of Management:\n\nIn planning and performing our audit of the financial statements of Export-Import Bank of the United\nStates (\xe2\x80\x9cEx-Im Bank\xe2\x80\x9d) as of and for the year ended September 30, 2012 (on which we have issued our\nreport dated November 14 , 2012), in accordance with auditing standards generally accepted in the United\nStates of America, the standards applicable to the financial audits contained in the Government Auditing\nStandards, issued by the Comptroller General of the United States, and Office of Management and\nBudget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended, we\nconsidered the Ex-Im Bank\xe2\x80\x99s internal control over financial reporting as a basis for designing audit\nprocedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on\nthe effectiveness of the Ex-Im Bank\xe2\x80\x99s internal control over financial reporting. Accordingly, we do not\nexpress an opinion on the effectiveness of the Ex-Im Bank\xe2\x80\x99s internal control over financial reporting. This\nreport is based on our knowledge as of the date of our report on the financial statements, obtained in\nperforming our audit thereof, and should be read with that understanding.\n\nOur consideration of internal control over financial reporting was for the limited purpose described in the\npreceding paragraph and was not designed to identify all deficiencies in internal control over financial\nreporting. However, in connection with our audit, we identified, and included in Section I, deficiencies\nrelated to the Ex-Im Bank\xe2\x80\x99s internal control over financial reporting and other matters as of\nSeptember 30, 2012, that we wish to bring to your attention.\n\nBased on our audit work, we believe management adequately addressed the significant deficiency,\n\xe2\x80\x9cSubsidy Re-estimate on Foreign Transactions\xe2\x80\x9d, reported in our prior-year\xe2\x80\x99s Independent Auditors\xe2\x80\x99\nReport on Internal Control over Financial Reporting and On Compliance and Other Matters Based upon\nthe Audit Performed in Accordance With Government Auditing Standards. Furthermore, Ex-Im Bank\nadequately addressed the deficiencies reported in our fiscal year (FY) 2011 management letter (see\nAPPENDIX A).\n\nThe definitions of a deficiency, a material weakness, and a significant deficiency are set forth in\nSection III.\n\nAlthough we have included management\xe2\x80\x99s written response to our comments in Section I , such responses\nhave not been subjected to the auditing procedures applied in our audit of the financial statements and,\naccordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the\nresponses or the effectiveness of any corrective actions described therein.\n\x0cThis report is intended solely for the information and use of management, the Audit Committee, the\nInspector General, and others within the organization and is not intended to be, and should not be, used by\nanyone other than these specified parties.\n\nYours truly,\n\n\n\n\ncc: The Inspector General of the Export-Import Bank of the United States and the Audit Committee of the\n    Export-Import Bank of the United States\n\n\n\n\n                                                   -2-\n\x0cSECTION I \xe2\x80\x94 DEFICIENCIES\n\nWe identified, and have included below, deficiencies involving the Ex-Im Bank\xe2\x80\x99s internal control over\nfinancial reporting as of September 30, 2012, that we wish to bring to your attention:\n\nUpdated Budget Cost Level (BCL) Risk Rating Relied On Inaccurate Information\n\nCondition:\n\nDuring the annual risk rating update process performed by the Transportation Portfolio Monitoring\nDivision (TPMD), we noted multiple instances where inaccurate information was relied upon to establish\nthe BCL risk rating. Some of these inaccuracies include:\n\na) Incorrect foreign currency translation rates were used to convert financial statements to US dollars for\n   the financial analysis.\n\nb) Incorrect average collateral values were used in the collateral analysis to support risk rating upgrades.\n\nc) Risk rating factors for the country risk in the Asset Management System (AMS) did not agree to Ex-\n   Im Bank\xe2\x80\x99s BCL Schedule.\n\nThe above inaccuracies did not change the approved risk ratings at year-end and therefore did not result in\na misstatement in the financial statements.\n\nCriteria:\n\nThe BCL risk rating should be updated based on accurate information.\n\nCause:\n\nThe deficiency was due to the fact that TPMD officers do not perform a detailed review for accuracy of\nthe information used for risk rating update.\n\nEffect or potential effect:\n\nInaccurate information used by TPMD could result in incorrect BCL risk ratings being applied to credits.\nAn incorrect BCL risk rating may cause the year-end allowance and subsidy to be misstated.\n\nRecommendation:\n\nWe recommend management enhance the review process of the information relied upon by TPMD prior\nto submission of the risk rating to the Vice President of TPMD for approval.\n\nManagement Response:\n\nManagement agrees with the recommendation. A two-tier review process will be established and prior to\nsubmission of risk ratings for the review and approval of the Vice President of TPMD, the risk ratings\nwill be provided to the Senior Portfolio Manager of TPMD for review.\n\n\n\n\n                                                    -3-\n\x0cInconsistency in BCL Risk Rating Between the Loans and Guarantees Accounting\nSystem (LGA) and Asset Management System (AMS)\n\nCondition:\n\nAfter all risk ratings are finalized at the end of August, the interaction between the LGA system and AMS\nis closed to prevent further changes to the BCL risk rating. The monitoring groups are required to report\nany subsequent BCL changes to the Office of the Controller to be changed directly in the LGA system. At\nSeptember 30, 2012, the BCL risk rating in the LGA system should agree to the AMS system. During our\ntest of the BCL risk rating, we identified one incident where the BCL risk rating in the LGA system did\nnot correspond to the approved risk rating in AMS at September 30, 2012. The change in the risk rating\noccurred after August 31, 2012 and did not affect the subsidy re-estimate, which was performed based on\nthe correct BCL risk rating as of August 31, 2012.\n\nCriteria:\n\nThe BCL risk rating in the LGA system should agree to the approved risk rating in AMS at September 30,\n2012.\n\nCause:\n\nThe difference in BCL risk rating between AMS and the LGA system was due to a typographical error\nmade by the TPMD during its review of BCL risk rating after August 31, 2012, which resulted in an\ninappropriate change in the risk rating in the LGA system by the Office of the Controller.\n\nEffect or potential effect:\n\nThe potential misstatement resulting from the incorrect BCL Risk Ratings in the LGA system at\nSeptember 30, 2012 would be limited to disclosure related errors for the weighted average BCL.\n\nRecommendation:\n\nWe recommend that the monitoring groups review all changes made in the LGA system after August 31\nby the Office of the Controller to ensure that changes to BCL risk ratings are appropriate. Further, we\nrecommend that communications from the monitoring groups to the Office of the Controller include\nspecific instructions if changes to risk ratings are required after August 31st.\n\nManagement Response:\n\nManagement agrees with the recommendation. Subsequent to the August 31 st portfolio review, the Office\nof the Controller will provide to the respective monitoring groups a list of proposed changes for\nconcurrence prior to making any changes in the LGA system.\n\nInaccurate Repayment Schedule in the LGA System\n\nCondition:\n\nRepayment schedules are set up in the LGA system according to the executed guarantee agreements.\nChanges to guarantee repayment schedules are made in the LGA system if the agreement is amended.\nDuring our confirmation testing, we identified two guarantees that had incorrect repayment information in\nthe LGA system. Information in the LGA system did not agree to the executed guarantee agreements.\n\n\n\n                                                  -4-\n\x0cCriteria:\n\nTransaction information in the LGA system should agree to the executed guarantee agreement.\nAmendments to the agreement should be reflected in the LGA system.\n\nCause:\n\nAfter a transaction is approved or amended, Financial Analysts are required to review the information\nentered into the LGA system against the executed guarantee agreements to ensure that information in the\nLGA system, including the repayment schedule, is accurate. Due to many changes in procedures and\npersonnel during FY 2011 and FY 2012, review of the information in the LGA system against the\nexecuted agreement was ineffective.\n\nEffect or Potential Effect:\n\nOutstanding guarantees balance was overstated by approximately $100,000 at September 30, 2012\n\nRecommendation:\n\nWe recommend that the Financial Analysts review and compare information for all transactions in the\nLGA system against the final approved executed agreements and amendments.\n\nManagement Response:\n\nManagement agrees with the recommendation. A Loan and Guarantee Servicing staff will review the\naccuracy of repayment schedules data input by Financial Planning and Portfolio Review Division against\nthe final credit agreements and amendments.\n\nInaccurate Information Used for Subsidy Calculation\n\nCondition:\n\nWe noted certain instances where management used incorrect information related to commitment fees in\nthe subsidy calculation. Additionally, we also noted other instances where the preliminary information\nused for the subsidy calculation was not updated as per the final executed agreement.\n\nCriteria:\n\nSubsidy for all transactions should be calculated using the information as per the final executed\nagreement.\n\nCause:\n\nIncorrect information related to commitment fees was used when the subsidy was calculated.\nAdditionally, in some instances, preliminary information was used instead of information as per the final\nexecuted agreement.\n\nEffect or potential effect:\n\nNegative subsidy or program revenue for transactions authorized during the fiscal year ended\nSeptember 30, 2012 was understated by approximately $4.6 million or 0.22%. The understated amount\nwas corrected through the subsidy reestimate performed at September 30, 2012\n\n\n                                                   -5-\n\x0cRecommendation:\n\nWe recommend Ex-Im Bank adds a second level of review on the subsidy calculation prior to releasing\nthe approved or amended transactions into the LGA system.\n\nManagement Response:\n\nManagement agrees with the recommendation. For large transactions requiring Board of Director\xe2\x80\x99s\napproval, two staff of the Financial Planning and Portfolio Review Division will perform the subsidy\ncalculation and compare answers for accuracy. For transactions not requiring Board of Director\xe2\x80\x99s\napproval, a Financial Planning and Portfolio Review Division staff will perform a program budget\nvalidation control semiannually for deals authorized throughout the fiscal year. Any differences between\nthe estimate calculation and the actual subsidy amounts greater than l00bps will be analyzed for potential\nerrors.\n\nIncorrect Accrual Status of Rescheduled Loans Written Off In Prior Years\n\nCondition:\n\nManagement identified an instance where a rescheduled loan, though written off during FY 2005, was\naccruing interest income. Management extended its review and performed a detailed analysis to check if\nthere were other similar instances where interest income was accruing on written-off loans. There was no\nother instance noted by management. \xe2\x80\x9cAccrual\xe2\x80\x9d status and the interest income for the above identified\nloan were corrected by management in the current year.\n\nCriteria:\n\nRescheduled loans written off in previous years should not have \xe2\x80\x9caccrual\xe2\x80\x9d status where it continues to\naccrue interest income.\n\nCause:\n\nThe status of rescheduled loan was changed from \xe2\x80\x9cnon-accrual\xe2\x80\x9d to \xe2\x80\x9caccrual\xe2\x80\x9d during a system migration in\nprevious years in error.\n\nEffect or Potential Effect:\n\nInterest income and loan receivable balance as of September 30, 2011 was overstated by $59 million. An\nadjusting entry was recorded by management in the current year to correct interest income and loan\nreceivable balance.\n\nRecommendation:\n\nWe recommend that the Loan Guarantee Servicing Division perform a thorough review of \xe2\x80\x9caccrual\xe2\x80\x9d\nstatus of loans on a regular basis.\n\nManagement Response:\n\nManagement agrees with the recommendation. At the time this issue was found, the Loan and Guarantee\nServicing Division performed a review of all Rescheduled-loans and determined no other issues were\nnoted. Additionally, the Loans and Guarantee Servicing Division will perform monthly reviews of the\nloan accruals to ensure the accuracy of the accruals.\n\n\n                                                   -6-\n\x0cIncorrect Allowance for Loan Loss Journal Entry\n\nCondition:\n\nDuring our testing of allowance for loan loss, we noted a journal entry for pre-credit reform claims loss\nreserve was recorded in reverse.\n\nCriteria:\n\nCalculation of loss reserve is performed to determine where additional loss is expected by Ex-Im Bank.\nAccordingly, a journal entry is recorded by the Office of Controller to adjust the loss reserve to reflect an\naddition or reduction in the loss reserve.\n\nCause:\n\nThe incorrect journal entry was caused by a human error.\n\nEffect or Potential Effect:\n\nThough the incorrect journal entry was immaterial and did not result in a misstatement in the current\nyear\xe2\x80\x99s financial statements, such incorrect entries, especially relating to the loan loss, could potentially\nresult in a misstatement. Management corrected this error in the current year.\n\nRecommendation:\n\nWe recommend management enhance controls around the journal entry review process to detect any\nmisstatements that may potentially occur.\n\nManagement Response:\n\nManagement agrees with the recommendation. After adjusting entries are made, the Controller\xe2\x80\x99s Office\nwill prepare a schedule of the adjusted allowances and compare them to the allowance calculations\nprepared by the Financial Planning and Portfolio Review Division to ensure accuracy of entries.\n\nIncorrect Formula Used In the LGD Calculation\n\nCondition:\n\nThe Probability of Default (PD) and Loss Given Default (LGD) are components of the loss factors used to\ncalculate the loss reserve. We identified three formula errors in the PD/LGD calculations.\n\nCriteria:\n\nStatistical calculations and formula logic in PD/LGD model should be accurate.\n\nCause:\n\nInaccurate formulas were entered in the calculation by a financial analyst during the LGD calculation.\n\n\n\n\n                                                     -7-\n\x0cEffect or Potential Effect:\n\nIncorrect information used in the PD/LGD Model could cause a misstatement to the loss reserve. We\nnoted that the effect of these errors was immaterial to the current year\xe2\x80\x99s financial statements.\n\nRecommendation:\n\nWe recommend management perform a more detailed review of the formulas used in in the allowance for\nloan loss methodology, in order to detect any errors which may result in potential misstatements. A\ndetailed tie-out of the PD/LGD model and the default curve report is also recommended.\n\nManagement Response:\n\nManagement agrees with the recommendation. The Financial Planning and Portfolio Review Division\nplans to implement a review of the PD/LGD model similar to how it reviews the reestimate model.\n\nRetention of Daily Security Monitoring report\n\nCondition:\n\nFor 2 of the 15 haphazardly selected dates that we selected for testing, we noted that the Daily Security\nMonitoring report and actions taken on the report were not retained according to the Ex-Im Bank\nprocedures. The 2 days are January 9, 2012 and July 5, 2012. Based on the inspection of audit\ndocumentary evidence and corroborations with The Office of the Chief Information Officer (OCIO), we\ndetermined that a deficiency in operating effectiveness existed as the properly designed control did not\noperate as designed. After the completion of our fieldwork and reporting the deficiency to Ex-Im\nManagement, we held further discussions with OCIO on the details of the deficiency, including the audit\ndocumentary evidence and our corroborations with OCIO. Subsequently, OCIO delivered additional\ndocumentation pulled from email archives and reproduced from network logs as audit documentary\nevidence to note that: 1) compensating controls were in place to detect a security breach for the two days\nnoted as testing exceptions; and, 2) emails created on the two days noted as exceptions to demonstrate\nthat activity by Ex-Im Network Security existed related to the missing Daily Security Monitoring Reports.\nWe evaluated the audit evidence delivered by OCIO after our fieldwork, and we concluded that the\ndeficiency in operating effectiveness existed as the properly designed control did not operate as designed\nfor the dates noted.\n\nCriteria:\n\nThe Daily Security report should be retained as an audit evidence of the monitoring, review and actions\ntaken as required for attempted IT infrastructure security breaches, anti-virus infections, vulnerabilities\nand availability issues.\n\nCause:\n\nWe understand that due to gaps in employment and shifting of employee responsibilities, audit evidence\nwas not maintained or did not sufficiently document actions taken on the Daily Security Monitoring\nreports for the two days mentioned above.\n\n\n\n\n                                                    -8-\n\x0cEffect or Potential Effect:\n\nManagement may not be able to detect and correct attempted security breaches, anti-virus infections,\nvulnerabilities and availability issues, if the Daily Security Monitoring report and actions taken on the\nreport were not retained. While this control has been properly designed to be performed on a daily basis\nand logging controls are in place, the evidence documenting the monitoring and actions taken were not\nretained as an evidence of effective operating control.\n\nRecommendation:\n\nWe recommend that management ensure all actions taken on the Daily Security Monitoring report are\ndocumented and retained.\n\nManagement Response:\n\nManagement agrees with the recommendation. The staff did perform the work and distributed the reports\nassociated with the daily IT security activities for the dates audited, but the artifacts for two of these dates\nwere not saved in the designated folders. The 2 artifacts were located and provided later to the auditors.\nThe systematic retention of these artifacts for the purpose of providing them to the auditors has been\ncorrected. Weekly reviews of the folder for these files are being performed by the Quality Assurance team\nto ensure the documents were all saved for that week.\n\nIn addition, we are in the process of implementing a new IT Security Enterprise Management system\nproviding enhanced capabilities for intelligent event management We will discontinue the manual process\nof manually integrating information on security-related events and preparing and storing the Daily IT\nSecurity Report.\n\nSECTION II \xe2\x80\x94 OTHER MATTERS\n\nRefer to Appendix A below for the status of the FY 2011 management letter comments.\n\nSECTION III \xe2\x80\x94 DEFINITIONS\n\nThe definitions of a deficiency, a material weakness, and a significant deficiency are as follows:\n\nA deficiency in internal control over financial reporting exists when the design or operation of a control\ndoes not allow management or employees, in the normal course of performing their assigned functions, to\nprevent, or detect and correct misstatements on a timely basis. A deficiency in design exists when (a) a\ncontrol necessary to meet the control objective is missing or (b) an existing control is not properly\ndesigned so that, even if the control operates as designed, the control objective would not be met. A\ndeficiency in operation exists when (a) a properly designed control does not operate as designed, or\n(b) the person performing the control does not possess the necessary authority or competence to perform\nthe control effectively.\n\nA material weakness is a deficiency, or a combination of deficiencies, in internal control over financial\nreporting, such that there is a reasonable possibility that a material misstatement of the entity\xe2\x80\x99s financial\nstatements will not be prevented, or detected and corrected on a timely basis.\n\n\n\n\n                                                     -9-\n\x0cA significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial\nreporting that is less severe than a material weakness, yet important enough to merit attention by those\ncharged with governance.\n\n                                                 ******\n\n\n\n\n                                                    - 10 -\n\x0c                                                                                        APPENDIX A\n\nThe table below provides the status of the FY 2011 management letter comments:\n\nControl deficiencies:\n\n                                                Elevated to                         Adequately\n                                                               Still Relevant\n No.          Prior Year Comments                Material                         Resolved or No\n                                                               and Repeated\n                                                Weakness                          Longer Relevant\n\n\n 1.    Loss Factor Historical Claims data                                                 X\n\n\n 2.    Trade Credit Insurance Originations                                                X\n\n\n       Reprographic Error on the Published\n 3.                                                                                       X\n       Annual Report\n\n\n 4.    Inaccurate Risk Rating                                                             X\n\n\n       Short Term Single Buyer Insurance\n 5.                                                                                       X\n       Subsidy Calculation\n\n\n 6.    Monitoring of Credits \xe2\x80\x9cIn Transfer\xe2\x80\x9d                                                X\n\n\nThe table below provides the status of the significant deficiency reported in FY 2011\xe2\x80\x99s Independent\nAuditors\xe2\x80\x99 Report on Internal Control over Financial Reporting and On Compliance and Other Matters\nBased upon the Audit Performed in Accordance With Government Auditing Standards.\n\nSignificant deficiency:\n\n                                                Elevated to                         Adequately\n                                                               Still Relevant\n No.          Prior Year Comments                Material                         Resolved or No\n                                                               and Repeated\n                                                Weakness                          Longer Relevant\n            Subsidy Re-estimate on Foreign\n                                                                                              X\n 1.         Transactions\n\n\n\n\n                                                 - 11 -\n\x0cOffice of Inspector General\nExport-Import Bank of the United States\n811 Vermont Avenue, NW\nWashington, DC 20571\n202-565-3908\nwww.exim.gov/oig\n\x0c'